changing the TLS version in SMTPMailService for Integrator

This Q&A forum allows users to post and respond to "How Do I Do ....." questions. Please do not use to report (suspected) errors - you must use your regional help desk for this. The information contained in this forum has not been validated by LANSA and, as such, LANSA cannot guarantee the accuracy of the information.
Post Reply
dhnaigles
Posts: 54
Joined: Wed Feb 03, 2016 1:34 am
Location: Marlborough, MA, USA

changing the TLS version in SMTPMailService for Integrator

Post by dhnaigles » Thu Oct 21, 2021 2:53 am

We are trying to send emails using the SMTPMailService with SECURE(*EXPLICIT) for TLS sessions as this is required by Microsoft's Outlook 365 Exchange server. Integrator by default uses TLS 1.0, but Microsoft has changed some of their requirements and we are getting failures (not all the time) due to the TLS version. Microsoft wants us to send the mail with TLS 1.2. Does anyone know how to change the TLS version used when sending and email, either by a SET command or something the SMTPMailService.properties file? Any assistance would be most appreciated.
David

caseywhite
Posts: 142
Joined: Thu May 26, 2016 1:17 am

Re: changing the TLS version in SMTPMailService for Integrator

Post by caseywhite » Thu Oct 21, 2021 4:54 am

I haven't tried this solution but could what is suggested in the post below work by adding this SystemDefault.properties or SMTPMailService.properties?

https://stackoverflow.com/questions/471 ... use-tls1-2

PatrickF
Posts: 12
Joined: Thu Nov 26, 2015 1:31 pm

Re: changing the TLS version in SMTPMailService for Integrator

Post by PatrickF » Thu Oct 21, 2021 1:17 pm

I am working with a customer at the moment using POP3 with LANSA Composer having the same issue. I see this link https://docs.microsoft.com/en-us/micros ... -worldwide. Seems flaky where it sometimes connects and other times does not. I wonder if we are in the transition period while Microsoft is cutting over.
I hope the setting for TLS version in SystemDefault.properties that we applied a few years ago for HTTPS connections will apply for POP3 and SMTP.

BrendanB
Posts: 66
Joined: Tue Nov 24, 2015 10:29 am

Re: changing the TLS version in SMTPMailService for Integrator

Post by BrendanB » Thu Oct 21, 2021 1:28 pm

I remember at JDK 7.0, the following was useful

To enable JDK 7.0 TLS v1.0, v1.1 and v1.2 support for the default JSSE provider.

Add the following property to system/SystemDefault.properties

com.ibm.jsse2.overrideDefaultProtocol=SSL_TLSv2

Possible options

SSLv3 : sets SSL V3.0
SSL_TLS : sets SSL V3.0 and TLS 1.0
SSL_TLSv2 : sets SSL V3.0, TLS 1.0, TLS 1.1, and TLS 1.2
TLS : sets TLS 1.0
TLSv1 : sets TLS 1.0
TLSv11 : sets TLS 1.1
TLSv12 : sets TLS 1.2

so it may be worth trying that.

dhnaigles
Posts: 54
Joined: Wed Feb 03, 2016 1:34 am
Location: Marlborough, MA, USA

Re: changing the TLS version in SMTPMailService for Integrator

Post by dhnaigles » Thu Oct 21, 2021 11:11 pm

Thank you, everyone! We will see how this works and I will let you know. I appreciate all your assistance. I can always count on this forum.
David

pkoopmanpk
Posts: 32
Joined: Wed Apr 26, 2017 7:12 pm

Re: changing the TLS version in SMTPMailService for Integrator

Post by pkoopmanpk » Tue Oct 26, 2021 1:45 am

We're having the exact same problem on our IBM i, so I'll add my findings here.

The error I get is: Could not convert socket to TLS

It started around october 5 with 1 error on that day, but it grew to around 25% errors over the following days.

I found a TLS tip from Lansa here: https://www.lansa.com/support/tips/t0633.html

According to them the best solution is to install JDK 8.0 32/64bit, so I did a JAVA *VERSION

Code: Select all

java version "1.8.0_261"                                                                    
Java(TM) SE Runtime Environment (build 8.0.6.15 - pap3280sr6fp15-20200724_01(SR6 FP15))
IBM J9 VM (build 2.9, JRE 1.8.0 OS/400 ppc-32-Bit 20200724_452227 (JIT enabled, AOT enabled)
OpenJ9   - 4ce4b9d
OMR      - 08b0594
IBM      - 70917a2)
JCL - 20200720_01 based on Oracle jdk8u261-b13
Just to be sure I also added the following line to system/SystemDefault.properties

Code: Select all

com.ibm.jsse2.overrideDefaultProtocol=SSL_TLSv2
After restarting de Integrator service I still got an error.

I found the following link on this error at Microsoft: https://docs.microsoft.com/en-us/micros ... -worldwide

So I also tried to force TLS 1.2 by adding the following lines to system/SystemDefault.properties

Code: Select all

com.ibm.jsse2.overrideDefaultTLS=true
com.ibm.jsse2.overrideDefaultProtocol=TLSv12
That also didn't help with the error.

dhnaigles
Posts: 54
Joined: Wed Feb 03, 2016 1:34 am
Location: Marlborough, MA, USA

Re: changing the TLS version in SMTPMailService for Integrator

Post by dhnaigles » Tue Oct 26, 2021 6:27 am

Like the previous poster, I have tried everything, but it still says that we are posting via TLS 1.0. I looked at the tips referred to and they are of no use whatsoever. If anyone has any other ideas (ALICK, WHERE ARE YOU???), I'd really appreciate it. We are getting this error on almost 30% of all our emails.

pkoopmanpk
Posts: 32
Joined: Wed Apr 26, 2017 7:12 pm

Re: changing the TLS version in SMTPMailService for Integrator

Post by pkoopmanpk » Thu Oct 28, 2021 5:56 pm

I got the following suggestion from Lansa Support Benelux.

---
a) Perhaps you will need to adjust the time-out value of the SSL handshake.

The main configuration for the SSL timeout is in the IBM file, as described here:
https://www.ibm.com/support/pages/setti ... t-variable

You can find the IBMSLAPD.CONF file (and the log file) here :
https://www.ibm.com/docs/en/sdse/6.4.0? ... -locations

b) As the error indicates : "Remote host closed connection during handshake" you should try to get the information / log files from the Remote machine, in order to see what the true issue is.
---

As I am a developer, this was way to technical for me, so we forwarded it to our IBM support. We also forwarded a request to network/mail support to find out if we can get Exchange logs.

pkoopmanpk
Posts: 32
Joined: Wed Apr 26, 2017 7:12 pm

Re: changing the TLS version in SMTPMailService for Integrator

Post by pkoopmanpk » Mon Nov 01, 2021 8:00 pm

This morning we received an a new error from Microsoft:

- 421 4.7.66 TLS 1.0 and 1.1 are not supported. Please upgrade/update your client to support TLS 1.2. Visit https://aka.ms/smtp_auth_tls.

So it looks like Lansa Integrator still uses TLS 1.0

I also found a new link which might be a clue: https://stackoverflow.com/questions/471 ... use-tls1-2
It didn't work for me in one pretty old app and I couldn't realize why. After some research I found that the javax.mail version in the app dependencies was 1.4. You must upgrade to at least 1.5.
And while searching in java jars:
…\jsm\instance\jar\jsmmail.jar\META-INF\maven\com.sun.mail\javax.mail\pom.properties

Code: Select all

#Generated by Maven
#Wed Mar 06 15:54:51 PST 2013
version=1.4.7
groupId=com.sun.mail
artifactId=javax.mail
It looks like jsmmail is not supporting TLS 1.2.

Theo de Bruin
Posts: 20
Joined: Wed Feb 10, 2016 8:41 pm

Re: changing the TLS version in SMTPMailService for Integrator

Post by Theo de Bruin » Wed Nov 03, 2021 8:41 am

Hi David / Peter,

Please send me an email for more info on this subject, or contact your local support for
an updated encryption / jsmmail.jar file.

Post Reply